[Original text] Apache on Mac OS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters.

-
Vulnerability Information (20911)

source: http://www.securityfocus.com/bid/2852/info
A vulnerability exists when Apache webserver is used with Mac OS X Client.
The standard filesystem for Mac OS X is HFS+. HFS+ is case insensitive while Apache's filtering is case sensitive. The result is that Apache will filter all file requests that match filters exactly (including case), but it will not filter requests made with mixed or upper case characters. Since HFS+ is case insensitive, these requests will result in the "filtered" files being disclosed.
The impact is that arbitrary privileged files may be disclosed to unprivileged remote users.
The following request will result in a 403 Forbidden as expected:
GET /test/index.html
But the following request will happily serve the file:
GET /TeSt/index.html
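The mismatch described above, modelled as an added example that is not part of the original advisory or of Apache's own code. The "disk" and the deny rule are constructed sample data (assumptions): a dict stands in for an HFS+ volume that preserves case but matches case-insensitively, and a prefix list stands in for a case-sensitive deny rule on `/test/`. The vulnerable path applies the filter to the raw request string and then lets the filesystem resolve it; the hardened path resolves the request to the canonical on-disk name first and filters on that, so any spelling of the name is treated the same way the filesystem treats it. The helper `is_case_variant` flags requests whose case differs from the stored name, which is a useful thing to log on a case-insensitive volume.

```python
"""Model of a case-sensitive path filter in front of a case-insensitive
filesystem, with a case-aware fix.

Added example; the filesystem and filter are simplified stand-ins
(assumption), not Apache's or HFS+'s real code.
"""
from typing import Optional

# Constructed sample volume: canonical on-disk paths as HFS+ would store them.
_DISK = {
    "/test/index.html": "secret content",
    "/public/index.html": "public content",
}
# HFS+ preserves case but looks names up case-insensitively; model that with
# a lowercase index pointing back at the stored (canonical) name.
_CI_INDEX = {p.lower(): p for p in _DISK}

# Constructed sample deny rule, written the way a case-sensitive filter
# would match it (equivalent to denying everything under /test/).
DENY_PREFIXES = ("/test/",)


def hfs_resolve(path: str) -> Optional[str]:
    """Return the canonical on-disk path for a request path, matching
    case-insensitively as HFS+ does, or None if nothing matches."""
    return _CI_INDEX.get(path.lower())


def _denied(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in DENY_PREFIXES)


def serve_case_sensitive(path: str) -> str:
    """Vulnerable behaviour: filter on the raw request string, then let the
    case-insensitive filesystem resolve whatever spelling the client sent."""
    if _denied(path):
        return "403 Forbidden"
    canonical = hfs_resolve(path)
    if canonical is None:
        return "404 Not Found"
    return "200 " + _DISK[canonical]


def serve_case_aware(path: str) -> str:
    """Hardened behaviour: resolve the request to the stored on-disk name
    first and apply the filter to that name, so the filter sees exactly the
    path the filesystem is about to serve."""
    canonical = hfs_resolve(path)
    if canonical is None:
        return "404 Not Found"
    if _denied(canonical):
        return "403 Forbidden"
    return "200 " + _DISK[canonical]


def is_case_variant(path: str) -> bool:
    """True when the request resolves to a file but spells its name with
    different case than the stored name; worth logging on such volumes."""
    canonical = hfs_resolve(path)
    return canonical is not None and canonical != path


if __name__ == "__main__":
    for req in ("/test/index.html", "/TeSt/index.html"):
        print(req, "->", serve_case_sensitive(req), "| fixed:",
              serve_case_aware(req), "| case variant:", is_case_variant(req))
```

Running the block prints the two requests from the advisory side by side: the lowercase request is refused by both versions, the mixed-case request is served by the vulnerable version and refused by the case-aware one. The general fix is the same in any server: apply access rules to the canonical name the filesystem will actually open, not to the client-supplied string.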

-
Vulnerability Information

-
Vulnerability Description

Mac OS X contains a flaw that may allow a malicious user to bypass Apache access controls. The issue is the case-insensitivity of the HFS+ filesystem, which can be exploited to access restricted directories, by changing the case of one or more characters. It is possible that the flaw may allow unauthorized access resulting in a loss of confidentiality.

-
Timeline

Disclosure date:
2001-06-10

Discovery date:
Unknown

Exploit date: 2001-06-10

Fix date: Unknown

-
Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

-
Vulnerability Discussion

A vulnerability exists when Apache webserver is used with Mac OS X Client.

The standard filesystem for Mac OS X is HFS+. HFS+ is case insensitive while Apache's filtering is case sensitive. The result is that Apache will filter all file requests that match filters exactly (including case), but it will not filter requests made with mixed or upper case characters. Since HFS+ is case insensitive, these requests will result in the "filtered" files being disclosed.

The impact is that arbitrary privileged files may be disclosed to unprivileged remote users.

-
Exploit

This example was supplied by Stefan Arentz <stefan.arentz@soze.com>: